Rpr 28 05 02:22p SVIPG 



408 971 4GG0 




IN THE CLAIMS: 
Amended claims follow: 


1. (Currently Amended) A system for dynamically detecting 
computer viruses through associative behavioral analysis of runtime state, 
comprising: 

a parameter set stored on a client system defining a group of monitored 
events, each monitored event comprising a set of one or more actions defined 
within an object, each action being performed by one or more applications 
executing within a defined computing environment; 

a monitor executing on the client system, comprising: 

a collector continuously monitoring runtime state within the 
defined computing environment for an occurrence of any one of the monitored 
events in the group and tracking a sequence of execution of the monitored events 
for each of the applications; and 

an analyzer identifying each occurrence of a specific event 
sequence characteristic of behavior of a computer virus and the application which 
performed the specific event sequence, creating a histogram describing the 
specific event sequence occurrence for each of the applications, and identifying 
repetitions of the histogram associated with at least one object; 

a storage manager organizing the histograms into a plurality of 
records ordered by object, application, and monitored event; and 

a structured database in which the plurality of records is stored; 

wherein the storage manager stores each histogram for each such 
specific event sequence occurrence in one such database record identified by the 
application by which the specific event sequence was performed; 

wherein the storage manager configures the structured database as 
an event log organized by each event in the group of monitored events and 
updates the database record storing each specific event sequence occurrence with 
a revised histogram as each such occurrence is identified. 

2. (Cancelled) 

3. (Cancelled) 

4. (Cancelled) 

5. (Original) A system according to Claim 1, further comprising: 

the analyzer detecting suspect activities within each histogram, each 
suspect activity comprising a set of known actions comprising a computer virus 
signature. 

6. (Previously Amended) A system according to Claim 5, wherein 
each such suspect activity is selected from a class of actions comprising file 
accesses, program executions, message transmissions, configuration area 
accesses, security setting accesses, and impersonations. 

7. (Previously Amended) A system according to Claim 5, wherein 
each such suspect activity is selected from a group comprising file accesses, 
program executions, direct disk accesses, media formatting operations, sending of 
electronic mail, system configuration area accesses, changes to security settings, 
impersonations, and system calls having the ability to monitor system 
input/output activities. 

8. (Previously Amended) A system according to Claim 1, wherein the 
computer virus comprises at least one form of unauthorized content selected from 
a group comprising a computer virus application, a Trojan horse application, and 
a hoax application. 
9. (Currently Amended) A method for dynamically detecting 
computer viruses through associative behavioral analysis of runtime state, 
comprising: 

defining a group of monitored events, each monitored event comprising a 
set of one or more actions defined within an object, each action being performed 
by one or more applications executing within a defined computing environment; 

continuously monitoring runtime state within the defined computing 
environment for an occurrence of any one of the monitored events in the group; 

tracking a sequence of execution of the monitored events for each of the 
applications; 

identifying each occurrence of a specific event sequence characteristic of 
behavior of a computer virus and the application which performed the specific 
event sequence; 

creating a histogram describing the specific event sequence occurrence for 
each of the applications; 

identifying repetitions of the histogram associated with at least one object; 

organizing the histograms into a plurality of records ordered by object, 
application, and monitored event; 

maintaining a structured database in which the plurality of records is 
stored; 

storing each histogram for each such specific event sequence occurrence 
in one such database record identified by the application by which the specific 
event sequence was performed; 

configuring the structured database as an event log organized by each 
event in the group of monitored events; and 

updating the database record storing each specific event sequence 
occurrence with a revised histogram as each such occurrence is identified. 

10. (Cancelled) 

11. (Cancelled) 

12. (Cancelled) 

13. (Original) A method according to Claim 9, further comprising: 

detecting suspect activities within each histogram, each suspect activity 
comprising a set of known actions comprising a computer virus signature. 

14. (Previously Amended) A method according to Claim 13, wherein 
each such suspect activity is selected from a class of actions comprising file 
accesses, program executions, message transmissions, configuration area 
accesses, security setting accesses, and impersonations. 

15. (Previously Amended) A method according to Claim 13, wherein 
each such suspect activity is selected from a group comprising file accesses, 
program executions, direct disk accesses, media formatting operations, sending of 
electronic mail, system configuration area accesses, changes to security settings, 
impersonations, and system calls having the ability to monitor system 
input/output activities. 

16. (Previously Amended) A method according to Claim 9, wherein 
the computer virus comprises at least one form of unauthorized content selected 
from a group comprising a computer virus application, a Trojan horse application, 
and a hoax application. 

17. (Currently Amended) A computer-readable storage medium 
holding code for dynamically detecting computer viruses through associative 
behavioral analysis of runtime state, comprising: 

defining a group of monitored events, each monitored event comprising a 
set of one or more actions defined within an object, each action being performed 
by one or more applications executing within a defined computing environment; 
continuously monitoring runtime state within the defined computing 
environment for an occurrence of any one of the monitored events in the group; 

tracking a sequence of execution of the monitored events for each of the 
applications; 

identifying each occurrence of a specific event sequence characteristic of 
behavior of a computer virus and the application which performed the specific 
event sequence; 

creating a histogram describing the specific event sequence occurrence for 
each of the applications; 

identifying repetitions of the histogram associated with at least one object; 

organizing the histograms into a plurality of records ordered by object, 
application, and monitored event; 

maintaining a structured database in which the plurality of records is 
stored; 

storing each histogram for each such specific event sequence occurrence 
in one such database record identified by the application by which the specific 
event sequence was performed; 

configuring the structured database as an event log organized by each 
event in the group of monitored events; and 

updating the database record storing each specific event sequence 
occurrence with a revised histogram as each such occurrence is identified. 

18. (Cancelled) 

19. (Cancelled) 

20. (Cancelled) 

21. (Original) A storage medium according to Claim 17, further 
comprising: 

detecting suspect activities within each histogram, each suspect activity 
comprising a set of known actions comprising a computer virus signature. 
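The collector, analyzer and storage manager recited in Claims 1, 9 and 17, together with the histogram signature check of Claims 5 to 7, 13 to 15 and 21, as an added working illustration in Python. This is not the patent's own code: the monitored-event names, the "suspect" event sequence, the signature sets, the SQLite table layout and the sample event stream are all constructed for this example.

```python
"""Added illustration of the monitor / analyzer / storage-manager structure of
the claims. Not the patent's code; event names, signatures and the sample
event stream are constructed for this example."""
import sqlite3
from collections import defaultdict, deque
from typing import Dict, List, Optional, Set, Tuple

# Parameter set: the group of monitored events, each a set of actions on an
# object. Names are assumptions for the example.
MONITORED_EVENTS: Dict[str, Set[str]] = {
    "file_access": {"open", "read", "write"},
    "program_exec": {"exec"},
    "direct_disk": {"raw_write"},
    "config_access": {"reg_set"},
    "security_change": {"disable_av"},
    "email_send": {"smtp_send"},
}

# One event sequence treated as characteristic of virus behaviour (assumed):
# read a file, send mail, then change a security setting.
SUSPECT_SEQUENCE: Tuple[str, ...] = ("file_access", "email_send", "security_change")

# Known-action sets making up a "virus signature" within a histogram (assumed).
SIGNATURES: Dict[str, Set[str]] = {
    "mass-mailer": {"file_access", "email_send"},
    "av-tamper": {"security_change"},
}


def classify(action: str) -> Optional[str]:
    """Map a raw action to its monitored event, or None if it is not monitored."""
    for event, actions in MONITORED_EVENTS.items():
        if action in actions:
            return event
    return None


class Monitor:
    """Collector + analyzer + storage manager over an in-memory SQLite database."""

    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")
        # Event log organized by monitored event, plus one histogram record per
        # (object, application, event), as the claims describe.
        self.db.executescript(
            "CREATE TABLE event_log(seq INTEGER PRIMARY KEY, object TEXT,"
            " application TEXT, event TEXT);"
            "CREATE TABLE histograms(object TEXT, application TEXT, event TEXT,"
            " count INTEGER, PRIMARY KEY(object, application, event));"
        )
        # Collector state: the recent monitored-event sequence per application.
        self.window: Dict[str, deque] = defaultdict(
            lambda: deque(maxlen=len(SUSPECT_SEQUENCE)))

    def collect(self, application: str, obj: str, action: str) -> Optional[int]:
        """Log one runtime action; return its log seq if it completes the suspect sequence."""
        event = classify(action)
        if event is None:
            return None  # action is outside the monitored group
        cur = self.db.execute(
            "INSERT INTO event_log(object, application, event) VALUES (?, ?, ?)",
            (obj, application, event))
        win = self.window[application]
        win.append((obj, event))
        if tuple(e for _, e in win) != SUSPECT_SEQUENCE:
            return None
        # Analyzer found an occurrence; the storage manager revises the histogram
        # record for every (object, application, event) in the sequence.
        for o, e in win:
            self.db.execute(
                "INSERT OR IGNORE INTO histograms VALUES (?, ?, ?, 0)", (o, application, e))
            self.db.execute(
                "UPDATE histograms SET count = count + 1"
                " WHERE object = ? AND application = ? AND event = ?", (o, application, e))
        return cur.lastrowid

    def records(self) -> List[Tuple[str, str, str, int]]:
        """Histogram records ordered by object, application, monitored event."""
        return list(self.db.execute(
            "SELECT object, application, event, count FROM histograms"
            " ORDER BY object, application, event"))

    def repetitions(self) -> List[Tuple[str, str, str, int]]:
        """Records whose histogram repeated for the same object."""
        return [r for r in self.records() if r[3] >= 2]

    def suspect_activities(self, application: str) -> List[str]:
        """Signatures whose known-action set lies within the application's histogram."""
        seen = {r[2] for r in self.records() if r[1] == application}
        return sorted(name for name, acts in SIGNATURES.items() if acts <= seen)


SAMPLE_EVENTS = [  # constructed runtime actions: (application, object, action)
    ("editor.exe", "C:/docs/notes.txt", "open"),
    ("editor.exe", "C:/docs/notes.txt", "write"),
    ("worm.exe", "C:/users/addressbook.wab", "read"),
    ("worm.exe", "smtp://mail.example", "smtp_send"),
    ("worm.exe", "HKLM/Software/AV/Enabled", "disable_av"),
    ("worm.exe", "C:/users/addressbook.wab", "read"),
    ("worm.exe", "smtp://mail.example", "smtp_send"),
    ("worm.exe", "HKLM/Software/AV/Enabled", "disable_av"),
    ("backup.exe", "C:/docs/notes.txt", "read"),
    ("backup.exe", "/dev/sda", "raw_write"),
]


def run(events) -> Tuple[Monitor, List[Tuple[str, int]]]:
    """Feed (application, object, action) triples through a Monitor; return it and the hits."""
    mon = Monitor()
    hits = []
    for app, obj, action in events:
        seq = mon.collect(app, obj, action)
        if seq is not None:
            hits.append((app, seq))
    return mon, hits


if __name__ == "__main__":
    monitor, detections = run(SAMPLE_EVENTS)
    for app, seq in detections:
        print("suspect sequence completed by", app, "at log seq", seq)
    for rec in monitor.records():
        print(rec)
```

The per-application sliding window is what makes the analysis "associative": the same actions from editor.exe and backup.exe never line up into the suspect sequence, while worm.exe completes it twice on the same objects, so its histogram records reach a count of 2 and register as repetitions, and both constructed signatures then match within that histogram.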